Cookies Containing Sensitive Data
Cookies are vulnerable to man-in-the-middle attacks if their secure
attribute does not match the session connection (HTTP or HTTPS).
A cookie that contains sensitive data, such as authentication information, should have its secure
attribute set to true, and it should be created and used
only within an HTTPS session. You should not rely on either the secure attribute alone or on the
SSL connection alone to protect the data.
Setting the secure attribute to true in an HTTP session
instructs the web browser to send the cookie only over a secure channel, such as an SSL connection.
However, subsequent requests and responses are over HTTP and unsecured, leaving the cookie
vulnerable.
Conversely, in an HTTPS session, issuing a cookie with the secure attribute set to false
allows the browser to transmit it over unencrypted connections, which are
susceptible to eavesdropping.
Thus a cookie is vulnerable to man-in-the-middle attacks if:
- secure="T" is specified in an HTTP connection
- secure="F" is specified in an HTTPS connection
Defense
- Only set secure="F" if required. By default, Uniface sets secure="T".
- Set secure="T" for all cookies used by HTTPS sessions.
- Use $encode and $decode to encrypt and decrypt the content when using HTTPS.
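The mismatch rule above can be applied as a check on the Set-Cookie headers a server actually emits. The following is an added example written for this page, not Uniface code: it parses a Set-Cookie header (accepting both the standard bare Secure flag and the secure="T"/"F" form used above, which is an assumption about the notation, not standard HTTP) and reports a cookie whose secure setting does not match the scheme of the session that issued it.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    secure: bool
    attributes: dict = field(default_factory=dict)  # other attributes, lower-cased names


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = False
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            # Bare "Secure" (HTTP standard) and secure="T" both mean set;
            # secure="F" (the page's notation, assumed here) means not set.
            secure = val.strip().strip('"').upper() != "F"
        elif key:
            attrs[key] = val.strip()
    return Cookie(name.strip(), secure, attrs)


def cookie_findings(scheme: str, header: str) -> list[str]:
    """Return findings for one cookie issued over `scheme` ("http" or "https")."""
    c = parse_set_cookie(header)
    findings = []
    if scheme == "http" and c.secure:
        findings.append(f"{c.name}: secure set on an HTTP session; "
                        "the rest of the session is still unencrypted")
    if scheme == "https" and not c.secure:
        findings.append(f"{c.name}: issued over HTTPS without secure; "
                        "the browser may send it over plain HTTP")
    return findings


def audit_response(scheme: str, set_cookie_headers: list[str]) -> list[str]:
    """Apply the check to every Set-Cookie header of one response."""
    return [f for h in set_cookie_headers for f in cookie_findings(scheme, h)]


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    sample = ["SESSIONID=abc123; Path=/; HttpOnly",       # missing secure over HTTPS
              "PREF=dark; Path=/; Secure",                # fine over HTTPS
              'TOKEN=xyz; secure="F"; Path=/']            # page notation, not secure
    for finding in audit_response("https", sample):
        print(finding)
```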